-Release Announcements
-=====================
+ ===============================
+ Release Notes for Samba 4.15.13
+ December 15, 2022
+ ===============================
-This is the first pre release of Samba 4.14. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-Samba 4.14 will be the next version of the Samba suite.
+This is the latest stable release of the Samba 4.15 release series.
+It also contains security changes in order to address the following defects:
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
-UPGRADING
-=========
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
+ Vulnerability was disclosed by Microsoft on Nov 8 2022
+ and per RFC8429 it is assumed that rc4-hmac is weak,
+
+ Vulnerable Samba Active Directory DCs will issue rc4-hmac
+ encrypted tickets despite the target server supporting
+ better encryption (eg aes256-cts-hmac-sha1-96).
+
+ https://www.samba.org/samba/security/CVE-2022-45141.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.15.12
+---------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15240: CVE-2022-38023.
+
+o Luke Howard <lukeh@padl.com>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15237: CVE-2022-37966.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico@cryptonector.com>
+ * BUG 15214: CVE-2022-45141.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+ ===============================
+ Release Notes for Samba 4.15.12
+ November 15, 2022
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
+ integer overflows when parsing a PAC on a 32-bit system, which
+ allowed an attacker with a forged PAC to corrupt the heap.
+ https://www.samba.org/samba/security/CVE-2022-42898.html
+
+Changes since 4.15.11
+---------------------
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15203: CVE-2022-42898
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 15203: CVE-2022-42898
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ===============================
+ Release Notes for Samba 4.15.11
+ October 25, 2022
+ ===============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
+ unwrap_des() and unwrap_des3() routines of Heimdal (included
+ in Samba).
+ https://www.samba.org/samba/security/CVE-2022-3437.html
+
+Changes since 4.15.10
+---------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+ 4.15.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+ 4.15.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15134: CVE-2022-3437.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ===============================
+ Release Notes for Samba 4.15.10
+ September 28, 2022
+ ===============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.9
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15128: Possible use after free of connection_struct when iterating
+ smbd_server_connection->connections.
+ * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15086: Spotlight RPC service returns wrong response when Spotlight is
+ disabled on a share.
+ * BUG 15126: acl_xattr VFS module may unintentionally use filesystem
+ permissions instead of ACL from xattr.
+ * BUG 15153: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1.
+ * BUG 15161: assert failed: !is_named_stream(smb_fname)") at
+ ../../lib/util/fault.c:197.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15148: Missing READ_LEASE break could cause data corruption.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15124: rpcclient can crash using setuserinfo(2).
+ * BUG 15132: Samba fails to build with glibc 2.36 caused by including
+ <sys/mount.h> in libreplace.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15152: SMB1 negotiation can fail to handle connection errors.
+
+o Michael Tokarev <mjt@tls.msk.ru>
+ * BUG 15078: samba-tool domain join segfault when joining a samba ad domain.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.9
+ July 27, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with
+ changing passwords.
+ https://www.samba.org/samba/security/CVE-2022-2031.html
+
+o CVE-2022-32744: Samba AD users can forge password change requests for any user.
+ https://www.samba.org/samba/security/CVE-2022-32744.html
+
+o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add
+ or modify request.
+ https://www.samba.org/samba/security/CVE-2022-32745.html
+
+o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
+ process with an LDAP add or modify request.
+ https://www.samba.org/samba/security/CVE-2022-32746.html
+
+o CVE-2022-32742: Server memory information leak via SMB1.
+ https://www.samba.org/samba/security/CVE-2022-32742.html
+
+Changes since 4.15.8
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15085: CVE-2022-32742.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15009: CVE-2022-32746.
+
+o Isaac Boukris <iboukris@gmail.com>
+ * BUG 15047: CVE-2022-2031.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15047: CVE-2022-2031.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15008: CVE-2022-32745.
+ * BUG 15009: CVE-2022-32746.
+ * BUG 15047: CVE-2022-2031.
+ * BUG 15074: CVE-2022-32744.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.8
+ June 28, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.7
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15042: Use pathref fd instead of io fd in vfs_default_durable_cookie.
+ * BUG 15099: Setting fruit:resource = stream in vfs_fruit causes a panic.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14986: Add support for bind 9.18.
+ * BUG 15076: logging dsdb audit to specific files does not work.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15069: vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
+ file had been deleted.
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 15087: netgroups support removed.
+
+o Samuel Cabrero <scabrero@suse.de>
+ * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
+ server.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15071: waf produces incorrect names for python extensions with Python
+ 3.11.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 15100: smbclient commands del & deltree fail with
+ NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS.
+
+o Christof Schmitt <cs@samba.org>
+ * BUG 15055: vfs_gpfs recalls=no option prevents listing files.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15071: waf produces incorrect names for python extensions with Python
+ 3.11.
+ * BUG 15091: Compile error in source3/utils/regedit_hexedit.c.
+ * BUG 15108: ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link.
+
+o Andreas Schneider <asn@cryptomilk.org>
+ * BUG 15054: smbd doesn't handle UPNs for looking up names.
+
+o Robert Sprowson <webpages@sprow.co.uk>
+ * BUG 14443: Out-by-4 error in smbd read reply max_send clamp.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.7
+ April 26, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.6
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14831: Share and server swapped in smbget password prompt.
+ * BUG 15022: Durable handles won't reconnect if the leased file is written
+ to.
+ * BUG 15023: rmdir silently fails if directory contains unreadable files and
+ hide unreadable is yes.
+ * BUG 15038: SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information on
+ renamed file handle.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14957: vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback.
+ * BUG 15035: shadow_copy2 fails listing snapshotted dirs with
+ shadow:fixinodes.
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 15046: PAM Kerberos authentication incorrectly fails with a clock skew
+ error.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 15041: username map - samba erroneously applies unix group memberships
+ to user account entries.
+
+o Elia Geretto <elia.f.geretto@gmail.com>
+ * BUG 14983: NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
+ in SMBC_server_internal.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+ * BUG 14641: Crash of winbind on RODC.
+ * BUG 14865: uncached logon on RODC always fails once.
+ * BUG 14951: KVNO off by 100000.
+ * BUG 15001: LDAP simple binds should honour "old password allowed period".
+ * BUG 15003: wbinfo -a doesn't work reliable with upn names.
+
+o Garming Sam <garming@catalyst.net.nz>
+ * BUG 13879: Simple bind doesn't work against an RODC (with non-preloaded
+ users).
+
+o Christof Schmitt <cs@samba.org>
+ * BUG 15027: Uninitialized litemask in variable in vfs_gpfs module.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15016: Regression: create krb5 conf = yes doesn't work with a single
+ KDC.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.6
+ March 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.5
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14169: Renaming file on DFS root fails with
+ NT_STATUS_OBJECT_PATH_NOT_FOUND.
+ * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
+ objects with same lease key.
+ * BUG 14938: NT error code is not set when overwriting a file during rename
+ in libsmbclient.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14996: Fix ldap simple bind with TLS auditing.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14674: net ads info shows LDAP Server: 0.0.0.0 depending on contacted
+ server.
+
+o Samuel Cabrero <scabrero@suse.de>
+ * BUG 14979: Problem when winbind renews Kerberos.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 8691: pam_winbind will not allow gdm login if password about to expire.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14971: virusfilter_vfs_openat: Not scanned: Directory or special file.
+
+o Björn Jacke <bj@sernet.de>
+ * BUG 13631: DFS fix for AIX broken.
+ * BUG 14974: Solaris and AIX acl modules: wrong function arguments.
+ * BUG 7239: Function aixacl_sys_acl_get_file not declared / coredump.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14900: Regression: Samba 4.15.2 on macOS segfaults intermittently
+ during strcpy in tdbsam_getsampwnam.
+ * BUG 14989: Fix a use-after-free in SMB1 server.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14968: smb2_signing_decrypt_pdu() may not decrypt with
+ gnutls_aead_cipher_decrypt() from gnutls before 3.5.2.
+ * BUG 14984: changing the machine password against an RODC likely destroys
+ the domain join.
+ * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
+ ldb_message *msg argument.
+ * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14967: Samba autorid fails to map AD users if id rangesize fits in the
+ id range only once.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.5
+ January 31, 2022
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
+ of a symlink exists.
+ https://www.samba.org/samba/security/CVE-2021-44141.html
+
+o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
+ https://www.samba.org/samba/security/CVE-2021-44142.html
+
+o CVE-2022-0336: Re-adding an SPN skips subsequent SPN conflict checks.
+ https://www.samba.org/samba/security/CVE-2022-0336.html
+
+
+Changes since 4.15.4
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14911: CVE-2021-44141
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14914: CVE-2021-44142
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14950: CVE-2022-0336
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.4
+ January 19, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.3
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
+ poisoning.
+ * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
+ calling the "Reconnecting with SMB1 for workgroup listing" path.
+ * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14940: Cross device copy of the crossrename module always fails.
+ * BUG 14941: symlinkat function from VFS cap module always fails with an
+ error.
+ * BUG 14942: Fix possible fsp pointer deference.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14934: kill_tcp_connections does not work.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
+ NT_STATUS_BUFFER_TOO_SMALL.
+ * BUG 14935: Can't connect to Windows shares not requiring authentication
+ using KDE/Gnome.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
+ poisoning.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.3
+ December 08, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+Important Notes
+===============
+
+There have been a few regressions in the security release 4.15.2:
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ PLEASE [RE-]READ!
+ The instructions have been updated and some workarounds
+ initially adviced for 4.15.2 are no longer required and
+ should be reverted in most cases.
+
+o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
+ un-deletable. While this release should fix this bug, it is
+ adviced to have a look at the bug report for more detailed
+ information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
+
+Changes since 4.15.2
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0.
+ * BUG 14879: A directory containing dangling symlinks cannot be deleted by
+ SMB2 alone when they are the only entry in the directory.
+ * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used
+ uninitialized in rmdir_internals().
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+ * BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
+ un-deletable.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk.
+ * BUG 14882: smbXsrv_client_global record validation leads to crash if
+ existing record points at non-existing process.
+ * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call.
+ * BUG 14897: Samba process doesn't log to logfile.
+ * BUG 14907: set_ea_dos_attribute() fallback calling
+ get_file_handle_for_metadata() triggers locking.tdb assert.
+ * BUG 14922: Kerberos authentication on standalone server in MIT realm
+ broken.
+ * BUG 14923: Segmentation fault when joining the domain.
+
+o Alexander Bokovoy <ab@samba.org>
+ * BUG 14903: Support for ROLE_IPA_DC is incomplete.
+
+o Günther Deschner <gd@samba.org>
+ * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore
+ * BUG 14893: winexe crashes since 4.15.0 after popt parsing.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 14908: net ads status -P broken in a clustered environment.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
+ smbd_smb2_ioctl_send.
+ * BUG 14882: smbXsrv_client_global record validation leads to crash if
+ existing record points at non-existing process.
+ * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore.
+ * BUG 14883: smbclient login without password using '-N' fails with
+ NT_STATUS_INVALID_PARAMETER on Samba AD DC.
+ * BUG 14912: A schannel client incorrectly detects a downgrade connecting to
+ an AES only server.
+ * BUG 14921: Possible null pointer dereference in winbind.
+
+o Andreas Schneider <asn@cryptomilk.org>
+ * BUG 14846: Fix -k legacy option for client tools like smbclient, rpcclient,
+ net, etc.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14872: Add Debian 11 CI bootstrap support.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP.
+ * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o Andrew Walker <awalker@ixsystems.com>
+ * BUG 14888: Crash in recycle_unlink_internal().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.15.2
+ November 9, 2021
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext
+ authentication.
+ https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+ https://www.samba.org/samba/security/CVE-2020-25717.html
+ (PLEASE READ! There are important behaviour changes described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+ by an RODC.
+ https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
+ tickets.
+ https://www.samba.org/samba/security/CVE-2020-25719.html
+
+o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
+ (eg objectSid).
+ https://www.samba.org/samba/security/CVE-2020-25721.html
+
+o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
+ checking of data stored.
+ https://www.samba.org/samba/security/CVE-2020-25722.html
+
+o CVE-2021-3738: Use after free in Samba AD DC RPC server.
+ https://www.samba.org/samba/security/CVE-2021-3738.html
+
+o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
+ https://www.samba.org/samba/security/CVE-2021-23192.html
+
+
+Changes since 4.15.1
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * CVE-2020-25722
+
+o Andrew Bartlett <abartlet@samba.org>
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+
+o Ralph Boehme <slow@samba.org>
+ * CVE-2020-25717
+
+o Alexander Bokovoy <ab@samba.org>
+ * CVE-2020-25717
+
+o Samuel Cabrero <scabrero@samba.org>
+ * CVE-2020-25717
+
+o Nadezhda Ivanova <nivanova@symas.com>
+ * CVE-2020-25722
+
+o Stefan Metzmacher <metze@samba.org>
+ * CVE-2016-2124
+ * CVE-2020-25717
+ * CVE-2020-25719
+ * CVE-2020-25722
+ * CVE-2021-23192
+ * CVE-2021-3738
+
+o Andreas Schneider <asn@samba.org>
+ * CVE-2020-25719
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * CVE-2020-17049
+ * CVE-2020-25718
+ * CVE-2020-25719
+ * CVE-2020-25721
+ * CVE-2020-25722
+ * MS CVE-2020-17049
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 4.15.1
+ October 27, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.0
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
+ * BUG 14685: Log clutter from filename_convert_internal.
+ * BUG 14862: MacOSX compilation fixes.
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 14868: rodc_rwdc test flaps.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
+ * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Isaac Boukris <iboukris@gmail.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+o Viktor Dukhovni <viktor@twosigma.com>
+ * BUG 12998: Fix transit path validation.
+
+o Pavel Filipenský <pfilipen@redhat.com>
+ * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
+ log.wb-<DOMAIN>.
+
+o Luke Howard <lukeh@padl.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14855: SMB3 cancel requests should only include the MID together with
+ AsyncID when AES-128-GMAC is used.
+
+o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
+ * BUG 14862: MacOSX compilation fixes.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+
+o Nicolas Williams <nico@twosigma.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 4.15.0
+ September 20, 2021
+ ==============================
+
+
+This is the first stable release of the Samba 4.15 release series.
+Please read the release notes carefully before upgrading.
+
+
+Removed SMB (development) dialects
+==================================
+
+The following SMB (development) dialects are no longer
+supported: SMB2_22, SMB2_24 and SMB3_10. They are were
+only supported by Windows technical preview builds.
+They used to be useful in order to test against the
+latest Windows versions, but it's no longer useful
+to have them. If you have them explicitly specified
+in your smb.conf or an the command line,
+you need to replace them like this:
+- SMB2_22 => SMB3_00
+- SMB2_24 => SMB3_00
+- SMB3_10 => SMB3_11
+Note that it's typically not useful to specify
+"client max protocol" or "server max protocol"
+explicitly to a specific dialect, just leave
+them unspecified or specify the value "default".
+
+New GPG key
+===========
+
+The GPG release key for Samba releases changed from:
+
+pub dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
+ Key fingerprint = 52FB C0B8 6D95 4B08 4332 4CDC 6F33 915B 6568 B7EA
+uid [ full ] Samba Distribution Verification Key <samba-bugs@samba.org>
+sub elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
+
+to the following new key:
+
+pub rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
+ Key fingerprint = 81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620
+uid [ultimate] Samba Distribution Verification Key <samba-bugs@samba.org>
+sub rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
+
+Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
+
+See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
+
+New minimum version for the experimental MIT KDC
+================================================
+
+The build of the AD DC using the system MIT Kerberos, an
+experimental feature, now requires MIT Kerberos 1.19. An up-to-date
+Fedora 34 has this version and has backported fixes for the KDC crash
+bugs CVE-2021-37750 and CVE-2021-36222
NEW FEATURES/CHANGES
====================
-Here is a copy of a clarification note added to the Samba code
-in the file: VFS-License-clarification.txt.
---------------------------------------------------------------
-
-A clarification of our GNU GPL License enforcement boundary within the Samba
-Virtual File System (VFS) layer.
-
-Samba is licensed under the GNU GPL. All code committed to the Samba
-project or that creates a "modified version" or software "based on" Samba must
-be either licensed under the GNU GPL or a compatible license.
-
-Samba has several plug-in interfaces where external code may be called
-from Samba GNU GPL licensed code. The most important of these is the
-Samba VFS layer.
-
-Samba VFS modules are intimately connected by header files and API
-definitions to the part of the Samba code that provides file services,
-and as such, code that implements a plug-in Samba VFS module must be
-licensed under the GNU GPL or a compatible license.
-
-However, Samba VFS modules may themselves call third-party external
-libraries that are not part of the Samba project and are externally
-developed and maintained.
-
-As long as these third-party external libraries do not use any of the
-Samba internal structure, APIs or interface definitions created by the
-Samba project (to the extent that they would be considered subject to the GNU
-GPL), then the Samba Team will not consider such third-party external
-libraries called from Samba VFS modules as "based on" and/or creating a
-"modified version" of the Samba code for the purposes of GNU GPL.
-Accordingly, we do not require such libraries be licensed under the GNU GPL
-or a GNU GPL compatible license.
-
-
-Printing
---------
-
-Publishing printers in AD is more reliable and more printer features are
-added to the published information in AD. Samba now also supports Windows
-drivers for the ARM64 architecture.
-
-
-Client Group Policy
--------------------
-This release extends Samba to support Group Policy functionality for Winbind
-clients. Active Directory Administrators can set policies that apply Sudoers
-configuration, and cron jobs to run hourly, daily, weekly or monthly.
-
-To enable the application of Group Policies on a client, set the global
-smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
-interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
-
-Policies applied by Samba are 'non-tattooing', meaning that changes can be
-reverted by executing the `samba-gpupdate --unapply` command. Policies can be
-re-applied using the `samba-gpupdate --force` command.
-To view what policies have been or will be applied to a system, use the
-`samba-gpupdate --rsop` command.
-
-Administration of Samba policy requires that a Samba ADMX template be uploaded
-to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
-provided as a convenient method for adding this policy. Once uploaded, policies
-can be modified in the Group Policy Management Editor under Computer
-Configuration/Policies/Administrative Templates. Alternatively, Samba policy
-may be managed using the `samba-tool gpo manage` command. This tool does not
-require the admx templates to be installed.
-
-CTDB CHANGES
-============
+VFS
+---
-* The NAT gateway and LVS features now uses the term "leader" to refer
- to the main node in a group through which traffic is routed and
- "follower" for other members of a group. The command for
- determining the leader has changed to "ctdb natgw leader" (from
- "ctdb natgw master"). The configuration keyword for indicating that
- a node can not be the leader of a group has changed to
- "follower-only" (from "slave-only"). Identical changes were made
- for LVS.
+The effort to modernize Samba's VFS interface is complete and Samba 4.15.0 ships
+with a modernized VFS designed for the post SMB1 world.
-* Remove "ctdb isnotrecmaster" command. It isn't used by CTDB's
- scripts and can be checked by users with "ctdb pnn" and "ctdb
- recmaster".
+For details please refer to the documentation at source3/modules/The_New_VFS.txt
+or visit the <https://wiki.samba.org/index.php/The_New_VFS>.
-Python 3.6 or later required
-----------------------------
-Samba's minimum runtime requirement for python was raised to Python
-3.6 with samba 4.13. Samba 4.14 raises this minimum version to Python
-3.6 also to build Samba. It is no longer possible to build Samba
-(even just the file server) with Python versions 2.6 and 2.7.
+Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
+---------------------------------------------------------------------------
-As Python 2.7 has been End Of Life upstream since April 2020, Samba
-is dropping ALL Python 2.x support in this release.
+Up to now, any client could use a DNS zone transfer request to the
+bind server, and get an answer from Samba. Now the default behaviour
+will be to deny those request. Two new options have been added to
+manage the list of authorized/denied clients for zone transfer
+requests. In order to be accepted, the request must be issued by a
+client that is in the allow list and NOT in the deny list.
-NT4-like 'classic' Samba domain controllers
--------------------------------------------
+"server multi channel support" no longer experimental
+-----------------------------------------------------
-Samba 4.13 deprecates Samba's original domain controller mode.
+This option is enabled by default starting with 4.15 (on Linux and FreeBSD).
+Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible
+to use this feature on Linux and FreeBSD for now.
-Sites using Samba as a Domain Controller should upgrade from the
-NT4-like 'classic' Domain Controller to a Samba Active Directory DC
-to ensure full operation with modern windows clients.
-SMBv1 only protocol options deprecated
+samba-tool available without the ad-dc
--------------------------------------
-A number of smb.conf parameters for less-secure authentication methods
-which are only possible over SMBv1 are deprecated in this release.
+The 'samba-tool' command is now available when samba is configured
+"--without-ad-dc". Not all features will work, and some ad-dc specific options
+have been disabled. The 'samba-tool domain' options, for example, are limited
+when no ad-dc is present. Samba must still be built with ads in order to enable
+'samba-tool'.
+
+
+Improved command line user experience
+-------------------------------------
+
+Samba utilities did not consistently implement their command line interface. A
+number of options were requiring to specify values in one tool and not in the
+other, some options meant different in different tools.
+
+These should be stories of the past now. A new command line parser has been
+implemented with sanity checking. Also the command line interface has been
+simplified and provides better control for encryption, signing and kerberos.
+
+Previously many tools silently ignored unknown options. To prevent unexpected
+behaviour all tools will now consistently reject unknown options.
+
+Also several command line options have a smb.conf variable to control the
+default now.
+
+All tools are now logging to stderr by default. You can use "--debug-stdout" to
+change the behavior. All servers will log to stderr at early startup until logging
+is setup to go to a file by default.
+
+### Common parser:
+
+Options added:
+--client-protection=off|sign|encrypt
+
+Options renamed:
+--kerberos -> --use-kerberos=required|desired|off
+--krb5-ccache -> --use-krb5-ccache=CCACHE
+--scope -> --netbios-scope=SCOPE
+--use-ccache -> --use-winbind-ccache
+
+Options removed:
+-e|--encrypt
+-C removed from --use-winbind-ccache
+-i removed from --netbios-scope
+-S|--signing
+
+
+### Duplicates in command line utils
+
+ldbadd/ldbdel/ldbedit/ldbmodify/ldbrename/ldbsearch:
+-e is still available as an alias for --editor,
+ as it used to be.
+-s is no longer reported as an alias for --configfile,
+ it never worked that way as it was shadowed by '-s' for '--scope'.
+
+ndrdump:
+-l is not available for --load-dso anymore
+
+net:
+-l is not available for --long anymore
+
+sharesec:
+-V is not available for --viewsddl anymore
+
+smbcquotas:
+--user -> --quota-user
+
+nmbd:
+--log-stdout -> --debug-stdout
+
+smbd:
+--log-stdout -> --debug-stdout
+
+winbindd:
+--log-stdout -> --debug-stdout
+
+
+Scanning of trusted domains and enterprise principals
+-----------------------------------------------------
+
+As an artifact from the NT4 times, we still scanned the list of trusted domains
+on winbindd startup. This is wrong as we never can get a full picture in Active
+Directory. It is time to change the default value to "No". Also with this change
+we always use enterprise principals for Kerberos so that the DC will be able
+to redirect ticket requests to the right DC. This is e.g. needed for one way
+trusts. The options `winbind use krb5 enterprise principals` and
+`winbind scan trusted domains` will be deprecated in one of the next releases.
+
+
+Support for Offline Domain Join (ODJ)
+-------------------------------------
+
+The net utility is now able to support the offline domain join feature
+as known from the Windows djoin.exe command for many years. Samba's
+implementation is accessible via the 'net offlinejoin' subcommand. It
+can provision computers and request offline joining for both Windows
+and Unix machines. It is also possible to provision computers from
+Windows (using djoin.exe) and use the generated data in Samba's 'net'
+utility. The existing options for the provisioning and joining steps
+are documented in the net(8) manpage.
+
+
+'samba-tool dns zoneoptions' for aging control
+----------------------------------------------
+
+The 'samba-tool dns zoneoptions' command can be used to turn aging on
+and off, alter the refresh and no-refresh periods, and manipulate the
+timestamps of existing records.
+
+To turn aging on for a zone, you can use something like this:
+
+ samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
+
+which turns on aging and ensures no records less than five years old
+are aged out and scavenged. After aging has been on for sufficient
+time for records to be renewed, the command
+
+ samba-tool dns zoneoptions --refreshinterval=168
+
+will set the refresh period to the standard seven days. Using this two
+step process will help prevent the temporary loss of dynamic records
+if scavenging happens before their first renewal.
+
+
+Marking old records as static or dynamic with 'samba-tool'
+----------------------------------------------------------
+
+A bug in Samba versions prior to 4.9 meant records that were meant to
+be static were marked as dynamic and vice versa. To fix the timestamps
+in these domains, it is possible to use the following options,
+preferably before turning aging on.
+
+ --mark-old-records-static
+ --mark-records-dynamic-regex
+ --mark-records-static-regex
+
+The "--mark-old-records-static" option will make records older than the
+specified date static (that is, with a zero timestamp). For example,
+if you upgraded to Samba 4.9 in November 2018, you could use ensure no
+old records will be mistakenly interpreted as dynamic using the
+following option:
+
+ samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
+
+Then, if you know that that will have marked some records as static
+that should be dynamic, and you know which those are due to your
+naming scheme, you can use commands like:
+
+ samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
+
+where '\w+-desktop' is a perl-compatible regular expression that will
+match 'bob-desktop', 'alice-desktop', and so on.
+
+These options are deliberately long and cumbersome to type, so people
+have a chance to think before they get to the end. You can make a
+mess if you get it wrong.
+
+All 'samba-tool dns zoneoptions' modes can be given a "--dry-run/-n"
+argument that allows you to inspect the likely results before going
+ahead.
+
+NOTE: for aging to work, you need to have "dns zone scavenging = yes"
+set in the smb.conf of at least one server.
+
+
+DNS tombstones are now deleted as appropriate
+---------------------------------------------
+
+When all the records for a DNS name have been deleted, the node is put
+in a tombstoned state (separate from general AD object tombstoning,
+which deleted nodes also go through). These tombstones should be
+cleaned up periodically. Due to a conflation of scavenging and
+tombstoning, we have only been deleting tombstones when aging is
+enabled.
+
+If you have a lot of tombstoned DNS nodes (that is, DNS names for
+which you have removed all the records), cleaning up these DNS
+tombstones may take a noticeable time.
+
+
+DNS tombstones use a consistent timestamp format
+------------------------------------------------
+
+DNS records use an hours-since-1601 timestamp format except for in the
+case of tombstone records where a 100-nanosecond-intervals-since-1601
+format is used (this latter format being the most common in Windows).
+We had mixed that up, which might have had strange effects in zones
+where aging was enabled (and hence tombstone timestamps were used).
+
+
+samba-tool dns update and RPC changes
+-------------------------------------
+
+The dnsserver DCERPC pipe can be used by 'samba-tool' and Windows tools
+to manipulate dns records on the remote server. A bug in Samba meant
+it was not possible to update an existing DNS record to change the
+TTL. The general behaviour of RPC updates is now closer to that of
+Windows.
+
+'samba-tool dns update' is now a bit more careful in rejecting and
+warning you about malformed IPv4 and IPv6 addresses.
+
+CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
+-----------------------------------------------------------------------
+
+An unuthenticated user can crash the AD DC KDC by omitting the server
+name in a TGS-REQ. Per Samba's updated security process a specific
+security release was not made for this issue as it is a recoverable
+Denial Of Service.
+
+See https://wiki.samba.org/index.php/Samba_Security_Proces
+
+samba-tool domain backup offline with the LMDB backend
+------------------------------------------------------
+
+samba-tool domain backup offline, when operating with the LMDB backend
+now correctly takes out locks against concurrent modification of the
+database during the backup. If you use this tool on a Samba AD DC
+using LMDB, you should upgrade to this release for safer backups.
REMOVED FEATURES
================
-The deprecated "ldap ssl ads" smb.conf option has been removed.
+Tru64 ACL support has been removed from this release. The last
+supported release of Tru64 UNIX was in 2012.
+
+NIS support has been removed from this release. This is not
+available in Linux distributions anymore.
+
+The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
+which have been out of support since 2018.
+
smb.conf changes
================
- Parameter Name Description Default
- -------------- ----------- -------
- smb encrypt Removed
- ldap ssl ads Removed
- client plaintext auth Deprecated no
- client NTLMv2 auth Deprecated yes
- client lanman auth Deprecated no
- client use spnego Deprecated yes
- domain logons Deprecated no
- raw NTLMv2 auth Deprecated no
- async dns timeout New 10
- client smb encrypt New default
- honor change notify privilege New No
- smbd force process locks New No
- server smb encrypt New default
+ Parameter Name Description Default
+ -------------- ----------- -------
+ client use kerberos New desired
+ client max protocol Values Removed
+ client min protocol Values Removed
+ client protection New default
+ client smb3 signing algorithms New see man smb.conf
+ client smb3 encryption algorithms New see man smb.conf
+ preopen:posix-basic-regex New No
+ preopen:nomatch_log_level New 5
+ preopen:match_log_level New 5
+ preopen:nodigits_log_level New 1
+ preopen:founddigits_log_level New 3
+ preopen:reset_log_level New 5
+ preopen:push_log_level New 3
+ preopen:queue_log_level New 10
+ server max protocol Values Removed
+ server min protocol Values Removed
+ server multi channel support Changed Yes (on Linux and FreeBSD)
+ server smb3 signing algorithms New see man smb.conf
+ server smb3 encryption algorithms New see man smb.conf
+ winbind use krb5 enterprise principals Changed Yes
+ winbind scan trusted domains Changed No
+
+
+CHANGES SINCE 4.15.0rc6
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14791: All the ways to specify a password are not documented.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14790: vfs_btrfs compression support broken.
+ * BUG 14828: Problems with commandline parsing.
+ * BUG 14829: smbd crashes when "ea support" is set to no.
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14825: "{client,server} smb3 {signing,encryption} algorithms" should
+ use the same strings as smbstatus output.
+ * BUG 14828: Problems with commandline parsing.
+
+o Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
+ * BUG 8773: smbd fails to run as root because it belongs to more than 16
+ groups on MacOS X.
+
+o Martin Schwenke <martin@meltin.net>
+ * BUG 14784: Fix CTDB flag/status update race conditions.
+
+
+CHANGES SINCE 4.15.0rc5
+=======================
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14806: Address a signifcant performance regression in database access
+ in the AD DC since Samba 4.12.
+ * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+ Samba 4.9 by using an explicit database handle cache.
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+ * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+ * BUG 14819: Address flapping dsdb_schema_attributes test.
+
+o Luke Howard <lukeh@padl.com>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Gary Lockyer <gary@catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+
+CHANGES SINCE 4.15.0rc4
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14809: Shares with variable substitutions cause core dump upon
+ connection from MacOS Big Sur 11.5.2.
+ * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
+ build.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 14815: A subset of tests from Samba's selftest system were not being
+ run, while others were run twice.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+ * BUG 14787: net conf list crashes when run as normal user,
+ * BUG 14803: smbd/winbindd started in daemon mode generate output on
+ stderr/stdout.
+ * BUG 14804: winbindd can crash because idmap child state is not fully
+ initialized.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+
+
+CHANGES SINCE 4.15.0rc3
+=======================
+
+o Bjoern Jacke <bj@sernet.de>
+ * BUG 14800: util_sock: fix assignment of sa_socklen.
+
+
+CHANGES SINCE 4.15.0rc2
+=======================
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14760: vfs_streams_depot directory creation permissions and store
+ location problems.
+ * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
+ * BUG 14769: smbd panic on force-close share during offload write.
+ * BUG 14805: OpenDir() loses the correct errno return.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14793: Start the SMB encryption as soon as possible.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14779: Winbind should not start if the socket path is too long.
+
+o Noel Power <noel.power@suse.com>
+ * BUG 14760: vfs_streams_depot directory creation permissions and store
+ location problems.
+
+
+CHANGES SINCE 4.15.0rc1
+=======================
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 14768: smbd/winbind should load the registry if configured
+ * BUG 14777: do not quote passed argument of configure script
+ * BUG 14779: Winbind should not start if the socket path is too long
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
+ * BUG 14764: aes-256-gcm and aes-256-ccm doesn't work in the server
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 14700: file owner not available when file unredable
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 14607: tree connect failed: NT_STATUS_INVALID_PARAMETER
+ * BUG 14759: 4.15rc can leak meta-data about the directory containing the
+ share path
KNOWN ISSUES
============
-https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.14#Release_blocking_bugs
+https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.15#Release_blocking_bugs
#######################################
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
git.samba.org / samba.git / blobdiff